New malware Xwo can swipe all your credentials at once


The worst thing about hackers and cybercriminals is that they are often every bit as brilliant as the security experts who are dedicated to stopping them from wreaking havoc online and stealing what isn’t theirs in the digital realm.

Thus, malware continues to evolve and become tougher and tougher to detect and eradicate.

Such is the case with Xwo, a new malware first discovered in March that has continued to harass and frustrate private citizens and antivirus research teams alike.

What Xwo Does

Xwo is not your typical ransomware that holds your data hostage, nor a cryptocurrency miner that commandeers your processing power for its own ends. Instead, it scans systems looking for saved credentials and exposed services, and everything it finds it sends back to its control server. Xwo is not the thief stealing your data; it is the scout surveying the lay of the land before the attack comes.

How Xwo Works

It is entirely scanning-based. It probes services including MongoDB, Memcached, MySQL, PostgreSQL, Tomcat, Redis, and FTP for default credentials, and it also collects information from default SVN and Git paths. Security experts believe this information-gathering is meant to catalogue weak points that can be compromised in future large-scale attacks. Because it performs no action that would be obvious to the average computer user, Xwo is especially dangerous.
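The scanning described above only pays off against a service that both listens on a network-facing address and accepts clients without credentials. As an added, defender-side illustration (not Xwo code, nor AT&T Alien Labs tooling), the Python below audits two of the named services, Redis and MongoDB, for exactly those two conditions. It uses small hand-written parsers for redis.conf directives and for the YAML subset mongod.conf uses, so it runs without third-party libraries; the sample configurations are constructed, and the assumed mongod default of binding to localhost applies to MongoDB 3.6 and later.

```python
"""Audit Redis and MongoDB configuration files for the two settings that let a
credential-scanning campaign succeed: a listener reachable from other hosts and
authentication switched off. Added example, not Xwo code or AT&T Alien Labs
tooling; the sample configs at the bottom are constructed."""
from dataclasses import dataclass
from typing import Dict, List

LOOPBACK = {"127.0.0.1", "::1", "localhost"}  # addresses that keep a listener local


@dataclass
class Finding:
    service: str
    setting: str
    value: str
    issue: str


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """redis.conf is one 'directive arguments' per line; directives may repeat."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            directives.setdefault(name.lower(), []).append(args.strip())
    return directives


def parse_simple_yaml(text: str) -> Dict[str, str]:
    """Flatten the YAML subset mongod.conf uses (nested 'key: value' maps,
    two-space indentation, no lists) into dotted keys such as 'net.bindIp'."""
    flat: Dict[str, str] = {}
    path: List[str] = []  # enclosing keys, one per indentation level
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        depth = (len(raw) - len(raw.lstrip(" "))) // 2
        key, _, value = raw.strip().partition(":")
        del path[depth:]
        path.append(key.strip())
        if value.strip():
            flat[".".join(path)] = value.strip().strip("\"'")
    return flat


def audit_redis(conf: str) -> List[Finding]:
    d = parse_redis_conf(conf)
    findings: List[Finding] = []
    # 'bind' may list several addresses; Redis 7 allows a '-' prefix on optional ones.
    bound = {a.lstrip("-") for a in " ".join(d.get("bind", [])).split()}
    if not bound <= LOOPBACK or not bound:  # an unset bind means all interfaces
        findings.append(Finding("redis", "bind", " ".join(sorted(bound)) or "<unset>",
                                "listener reachable from other hosts"))
    if not any(d.get("requirepass", [""])):
        findings.append(Finding("redis", "requirepass", "<unset>", "no password required"))
    if d.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append(Finding("redis", "protected-mode", "no", "remote clients not refused"))
    return findings


def audit_mongod(conf: str) -> List[Finding]:
    y = parse_simple_yaml(conf)
    findings: List[Finding] = []
    bind_all = y.get("net.bindIpAll", "false").lower() == "true"
    bind_ip = y.get("net.bindIp", "127.0.0.1")  # mongod default since 3.6
    if bind_all or not {a.strip() for a in bind_ip.split(",")} <= LOOPBACK:
        findings.append(Finding("mongod", "net.bindIp", "bindIpAll: true" if bind_all else bind_ip,
                                "listener reachable from other hosts"))
    authz = y.get("security.authorization", "<unset>")
    if authz.lower() != "enabled":
        findings.append(Finding("mongod", "security.authorization", authz, "clients need no credentials"))
    return findings


# Constructed samples: the weak pair carries the misconfigurations a scanner like
# Xwo profits from, the hardened pair is what the audit should accept.
WEAK_REDIS = "bind 0.0.0.0\nprotected-mode no\n"
HARDENED_REDIS = "bind 127.0.0.1 -::1\nprotected-mode yes\nrequirepass REPLACE_WITH_LONG_RANDOM_SECRET\n"
WEAK_MONGOD = "net:\n  port: 27017\n  bindIpAll: true\nstorage:\n  dbPath: /var/lib/mongodb\n"
HARDENED_MONGOD = "net:\n  bindIp: 127.0.0.1,::1\nsecurity:\n  authorization: enabled\n"


def audit_all() -> Dict[str, List[Finding]]:
    return {"weak_redis": audit_redis(WEAK_REDIS), "hardened_redis": audit_redis(HARDENED_REDIS),
            "weak_mongod": audit_mongod(WEAK_MONGOD), "hardened_mongod": audit_mongod(HARDENED_MONGOD)}


if __name__ == "__main__":
    for name, found in audit_all().items():
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  [{f.service}] {f.setting} = {f.value}: {f.issue}")
```

Point `audit_redis` and `audit_mongod` at the contents of your own `/etc/redis/redis.conf` and `/etc/mongod.conf` to run the same checks on a real host; an empty list means the service is at least not exposed in the way this kind of scanner depends on, though it says nothing about the strength of the password or the other services listed above.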

Similarities to Other Malware

The cybersecurity experts at AT&T Alien Labs who discovered Xwo’s infrastructure in March 2019 have compared Xwo to previously identified malware known as MongoLock and XBash. All three are coded in Python and share similar infrastructure, suggesting that they might be written by the same cybercriminals, or that Xwo is scouting locations for the other two to attack at a later date.

MongoLock is ransomware that first emerged in January 2017. It accesses MongoDB databases that are not properly secured, deletes their data, and replaces each database with a new one containing a single file called “readme.txt”, which holds the ransom demand: a set number of bitcoins to be paid to a Bitcoin wallet.

XBash is like a Swiss army knife of bad news, combining ransomware, a botnet, a coin miner, and worm-like characteristics. Discovered in 2017, XBash is the brainchild of a criminal organization called the Iron Group, which may be based in China. It has damaged both Windows and Linux-based systems. Its striking similarity to Xwo is a scanner module that can port-scan the Internet for servers whose online services lack proper security protocols.

Fighting Back Against Xwo

The No. 1 way to keep Xwo from infecting your system is to install top-notch anti-malware security software. There may not be a perfect cure for Xwo yet, but good software will have protocols in place to identify when an intrusive presence enters your system and begins running programs without permission.

Photo by Taskin Ashiq on Unsplash